Excluding unwanted updates from ADR

In a previous post I wrote about how to uninstall an update (or “Approved for Removal” in WSUS terms). But how do we exclude updates from appearing in the Software Update Groups (SUG) created by our Automatic Deployment Rules (ADR)?

Before you ask: of course I’m using ADRs for patching the whole environment! Everyone should!


A week after we deleted KB123456 from our deployment it reappeared. Since we know that this is a production-breaking update, we do not want it to appear in our update deployments.


To understand how to solve this we first need to understand how an ADR works. I won’t go into detail about the mechanics and logs related to ADRs, but the key fact that needs to be known here is:

Each time an ADR runs it completely regenerates the SUG associated with the ADR.

With this in mind the solution should be pretty obvious: exclude the update in the ADR’s search criteria and rerun the ADR to regenerate the SUG.

To exclude an update, navigate to the Software Library workspace, expand Software Updates and click Automatic Deployment Rules. Double-click the ADR which contains the bad update to open its properties window. Click the Software Updates tab.


If you haven’t already added the search criterion Title, add it. Click on Title to open the Search Text dialog.


Excluded updates are added with a “-” prefix followed by the KB id; in this example it would be “-KB123456”. Click OK twice to save the changes and close the ADR.


Right-click the modified ADR and choose Run Now. This reruns the ADR and completely regenerates the SUG and the deployment without the excluded update.


The key mechanic here is knowing that the ADR recreates the whole SUG each time it runs. So changing a criterion and running the ADR creates a completely new SUG.

The process of adding an update exclusion and executing the ADR can be done with the help of PowerShell. Below is a quick and dirty example that adds “-KB121337” to every ADR that has a Title criterion.

# The ConfigurationManager module must be loaded and the current location set to the site drive
# (e.g. Set-Location "$($SiteCode):") before the CM cmdlets below will work.
#Import-Module "E:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1"
$SiteCode  = "1st"
$ExcludeKB = "-KB121337"

$adrs = Get-CMSoftwareUpdateAutoDeploymentRule

foreach ($adr in $adrs) {
    # Load the ADR's search criteria XML (the original snippet created an empty document and never loaded it)
    $xml = New-Object System.Xml.XmlDocument
    $xml.LoadXml($adr.UpdateRuleXML)

    # The Title criterion lives under the LocalizedDisplayName description item; its MatchRules are <string> nodes
    $TitleMatchRules = $xml.SelectSingleNode("/UpdateXML/UpdateXMLDescriptionItems/UpdateXMLDescriptionItem[@PropertyName='LocalizedDisplayName']/MatchRules")

    if ($TitleMatchRules) {
        if (@($TitleMatchRules.string) -contains $ExcludeKB) {
            Write-Output "$($adr.Name): $ExcludeKB is already excluded, skipping."
            continue
        }
        Write-Output "$($adr.Name): Title criterion exists, adding $ExcludeKB."
        $xmlinput = $xml.CreateElement("string")
        $xmlinput.InnerText = $ExcludeKB
        $TitleMatchRules.AppendChild($xmlinput) | Out-Null

        # Write the modified criteria back to the SMS_AutoDeployment instance in the site's WMI namespace
        $AdrID  = $adr.AutoDeploymentID
        $AdrWMI = Get-WmiObject -Namespace "root\sms\site_$SiteCode" -Query "SELECT * FROM SMS_AutoDeployment WHERE AutoDeploymentID=$AdrID"
        Set-WmiInstance -Path $AdrWMI.__PATH -Arguments @{UpdateRuleXML = $xml.OuterXml} | Out-Null

        # Rerun the ADR so the SUG is regenerated without the excluded update
        Invoke-CMSoftwareUpdateAutoDeploymentRule -Id $AdrID
    } else {
        Write-Output "$($adr.Name): no Title criterion found, skipping."
    }
}
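As an added example that is not part of the original post, the following script audits which KB exclusions each ADR already carries in its Title criterion (using the same XPath as above) and checks whether a KB is still present in the regenerated SUG. The sample rule XML is constructed for illustration, the SUG name ($SugName) is an assumption you supply, and the CM module and site drive are assumed to be loaded.

```powershell
# Added example, not from the original post. Requires the ConfigurationManager module
# and the current location set to the site drive.

function Get-AdrTitleExclusion {
    param([Parameter(Mandatory)][string]$UpdateRuleXML)
    $xml = New-Object System.Xml.XmlDocument
    $xml.LoadXml($UpdateRuleXML)
    $nodes = $xml.SelectNodes("/UpdateXML/UpdateXMLDescriptionItems/UpdateXMLDescriptionItem[@PropertyName='LocalizedDisplayName']/MatchRules/string")
    # Title entries prefixed with "-" are exclusions; return the KB id without the prefix
    foreach ($n in $nodes) {
        if ($n.InnerText -match '^-(KB\d+)$') { $Matches[1] }
    }
}

function Test-SugContainsKB {
    param([Parameter(Mandatory)][string]$SugName,
          [Parameter(Mandatory)][string]$KB)
    # ArticleID on SMS_SoftwareUpdate is the KB number without the "KB" prefix
    $id   = $KB -replace '^KB', ''
    $hits = Get-CMSoftwareUpdate -UpdateGroupName $SugName -Fast | Where-Object { $_.ArticleID -eq $id }
    return [bool]$hits
}

# Constructed sample of the rule XML fragment shaped like the nodes the XPath addresses
$sampleXml = @"
<UpdateXML><UpdateXMLDescriptionItems>
 <UpdateXMLDescriptionItem PropertyName="LocalizedDisplayName">
  <MatchRules><string>Security</string><string>-KB123456</string><string>-KB121337</string></MatchRules>
 </UpdateXMLDescriptionItem>
</UpdateXMLDescriptionItems></UpdateXML>
"@
Get-AdrTitleExclusion -UpdateRuleXML $sampleXml

# Audit every ADR on the site and verify the excluded KBs are gone from the SUG it maintains.
# $SugName is an assumption: the name of the SUG the ADR regenerates.
$SugName = "ADR - Monthly Patching"
foreach ($adr in Get-CMSoftwareUpdateAutoDeploymentRule) {
    $excluded = @(Get-AdrTitleExclusion -UpdateRuleXML $adr.UpdateRuleXML)
    Write-Output "$($adr.Name): excludes $($excluded -join ', ')"
    foreach ($kb in $excluded) {
        if (Test-SugContainsKB -SugName $SugName -KB $kb) {
            Write-Warning "$kb is still in $SugName; rerun the ADR so the SUG is regenerated."
        }
    }
}
```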
